The bug appeared in the latest version of Apple's mobile operating system iOS 11.2, and could have let criminals unlock internet-connected doors.
A researcher disclosed the problem to tech news site 9to5Mac.
Apple said it had now disabled remote HomeKit access for shared users, as a temporary solution to the problem.
The company's HomeKit framework lets iOS devices control internet-connected gadgets made by a variety of manufacturers.
Customers do not need to update the software on their devices because the fix has been implemented on Apple's servers.
However, some HomeKit functionality will be temporarily unavailable.
9to5Mac said the flaw had "serious ramifications" but accepted it was "difficult" to exploit.
Apple said in a statement: "The issue affecting HomeKit users running iOS 11.2 has been fixed.
"The fix temporarily disables remote access to shared users, which will be restored in a software update early next week," it added.
The company has been criticised recently after some of its other software releases were found to contain serious bugs.
In October, many people found that the letter "i" was being replaced by the letter A and a symbol when they upgraded to iOS 11.
And in November, a major flaw was found in MacOS High Sierra - the most recent version - that made it possible to gain entry to a Mac without a password.
At the time, the company apologised and said "our customers deserve better".